Achieving GDPR Compliance In Record Time

Retail Industry | United States

PRESSING DEADLINE REQUIRES TEAM WORK

A global retailer with operations in multiple countries faced challenges preparing to meet data privacy rules under GDPR. With just over two months to spare and 600 applications with potentially relevant PII (personally identifiable information), they knew they needed help.
Organizations in breach could be subject to costly fines – up to 20 million euros or 4 percent of annual global turnover.

Meeting this deadline required overcoming a number of challenges:

Preparing for GDPR compliance without an accurate data map of what they have: starting with an Excel spreadsheet of 600 applications which may have relevant PII
Being new or a lay-person in data mapping, process flows, and the organization of data; in the beginnings of designing their information governance (IG) program and awareness
A low probability of meeting their deadline without resources who could ask questions in a knowledgeable way and bring familiarity with data mapping and process analysis
Resource constraints impacting their ability to be successful; the legal team needed high-performing resources with the right skills to assess current data management practices and systems

ISSUE

GDPR compliance goals on an accelerated schedule.

SOLUTION

Partner with Information Governance professionals and legal counsel to achieve results

BENEFITS

Confidence in requirements supporting GDPR compliance.
Lowering of threats to privacy risk. Raising awareness of protection requirements and best practices.

SERVICES DELIVERED

Current State Analysis
Data Map Development
Policy and Process Development
Program Assessment and Roadmap
Requirements Development

The senior counsel reached out to the internal global records manager for help with resources with IG subject matter expertise. Legal needed people who could hit the ground running and get up to speed quickly. Realizing that internal expertise wasn’t available and time was critical, Access Sciences was engaged, joined the team in a virtual strategy session, and began on-site interviews with business and technical stakeholders 24 hours later.

Our expertise in information governance was important in understanding the relationships between PII, the systems, and the supporting business processes. Right away we were able to contribute by:

Reaching a common understanding of tools, approach, and goals

Conducting interviews with business and technical SMEs for each system

Building data maps as a way to fully understand and document where PII is stored, what attributes are collected, who the internal and external parties are that access it, and help our client assess risk

Building process diagrams to document the information flows, entities, and systems that touch PII

THANKS FOR A JOB WELL-DONE

At the project conclusion meeting, our clients reached across the table for high-fives all around. We successfully met the project’s deadline and stayed under budget. In a little over 2 months, we completed 22 interviews, 39 data maps, and 40 process diagrams for 14 key business processes where PII is processed and retained.

The project generated several benefits for the client:

Robust data mapping and information flows lowered risk for Article 30 compliance
On-time completion enabled the client to review technical and organizational measures for data security, impact assessments, and document records of processing
Interviews raised awareness with stakeholders about GDPR requirements and good information management practices
Higher visibility into information built a strong foundation for decision-making

DOWNLOAD CASE STUDY